Oracle Encryption using NNE on Windows

Imagine a client has the need to encrypt data in transit we have 2 options using Oracle Database that, they are Native Network Encryption (NNE) and Transport Layer Security (TLS).

NNE is the simpler of the 2 to setup and should require no changes to application connection details.

To setup NNE we simply update the database network file called sqlnet.ora with Security settings we need. There are 2 types of setting as below:

Encryption, typical algorithms for this are AES[nnn] the larger the [nnn] the higher the encryption, AES192 or AES256 are normal settings for this
Integrity, typical algorithms for this are SHA[nnn] the larger the [nnn] the higher the integrity, SHA256 or SHA512 are normal settings for this

Is AES 256 crackable?
AES 256 is virtually impenetrable using brute-force methods

How secure is SHA-256?
SHA-256 is one of the most secure hashing functions on the market.

Some application may not support higher settings so it can be normal to see the more widely used AES256 and SHA256 setting in play.

Based on the above we will configure NNE for:

Encryption using : AES256
Checksum using : SHA256

When defining NNE we also must define how the protocol is handled using below:

ACCEPTED : The client or server will allow both encrypted and non-encrypted connections. This is the default if the parameter is not set.
REJECTED : The client or server will refuse encrypted traffic.
REQUESTED : The client or server will request encrypted traffic if it is possible, but will accept non-encrypted traffic if encryption is not possible.
REQUIRED : The client or server will only accept encrypted traffic.

So to force NNE on all connections we will use the below settings in the sqlnet.ora:

#DB Server Encryption settings
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

#DB Server Checksum Client settings
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

Where is the sqlnet.ora?

This could be located in many places based on setup and also %TNS_ADMIN% setting, but usually its either in one of the 2 places below and the same location as tnsnames.ora and listener.ora

%ORACLE_HOME%\network\admin for a read write Oracle Home
- example: D:\app\oracle\product\19.3.0\dbhome_1\network\sqlnet.ora
%ORACLE_BASE_HOME%\network\admin for a read write Oracle Home
- example: D:\app\oracle\homes\OraDB19Home1\network\sqlnet.ora

If using Oracle Restart then sqlnet.ora could also be under GRID HOME, where it would probably be safer to update both the oracle and grid sqlnet.ora files.

%GRID_HOME%\network\admin for a read write Grid Home
%GRID_BASE_HOME%\network\admin for a read write Grid Home

Also tnsping can also show location of sqlnet.ora as below:

tnsping orcl

TNS Ping Utility for 64-bit Windows: Version 19.0.0.0.0 – Production on 02-APR-2024 16:13:09
Copyright (c) 1997, 2019, Oracle. All rights reserved.
Used parameter files:
D:\app\oracle\product\19.3.0\dbhome_1\network\admin\sqlnet.ora

Create a backup of existing sqlnet.ora file

Edit sqlnet.ora file and add the settings :

#DB Server Encryption settings
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
#DB Server Checksum Client settings
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

Now any new connections using TNS to the database will be encrypted, to be 100% sure all connections are encrypted a database bounce could also be done as existing connections won’t use encryption.

How can I check NNE is now being used?

col NETWORK_SERVICE_BANNER for a160
select network_service_banner from v$session_connect_info
where sid in (select distinct sid from v$mystat)
and (network_service_banner like '%AES%'
or network_service_banner like '%SHA%');

set lines 260
col NETWORK_SERVICE_BANNER for a90
col username for a20

select s.username, sci.sid, sci.serial#, s.program, sci.NETWORK_SERVICE_BANNER
from
v$session s, v$session_connect_info sci
where s.sid=sci.sid
and s.serial#=sci.serial#
and NETWORK_SERVICE_BANNER like '%256%'
and username is not null
order by username
/

select network_service_banner from v$session_connect_info
where sid in (select distinct sid from v$mystat)
/

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.